Summarize elements of effective security compliance
Compliance is meeting the requirements imposed by laws, regulations, industry standards, and contractual obligations. It’s not optional, and penalties for non-compliance can be severe — fines, lawsuits, loss of business, or criminal liability.
Regulatory Frameworks
GDPR (General Data Protection Regulation)
EU regulation governing personal data of EU residents.
- Applies to any organization processing EU resident data, regardless of where the org is located
- Key requirements: Lawful basis for processing, data subject rights (access, deletion, portability), 72-hour breach notification, Data Protection Officer (DPO) for certain orgs, privacy by design
- Penalties: Up to 4% of annual global revenue or €20 million, whichever is greater
HIPAA (Health Insurance Portability and Accountability Act)
US regulation protecting healthcare data (PHI — Protected Health Information).
- Applies to covered entities (healthcare providers, insurers) and their business associates
- Security Rule: Technical, physical, and administrative safeguards for ePHI
- Privacy Rule: How PHI can be used and disclosed
- Breach Notification Rule: Notification requirements when PHI is compromised
PCI-DSS (Payment Card Industry Data Security Standard)
Industry standard for organizations that handle credit card data.
- Not a law — contractual requirement from card brands (Visa, Mastercard, etc.)
- 12 requirements covering network security, data protection, access control, monitoring, testing
- Quarterly vulnerability scans by Approved Scanning Vendor (ASV)
- Annual assessment (Self-Assessment Questionnaire for small merchants, on-site audit for large)
SOX (Sarbanes-Oxley Act)
US law requiring internal controls over financial reporting for publicly traded companies.
- IT controls are in scope because financial data flows through IT systems
- Section 404: Management must assess and report on internal control effectiveness
GLBA (Gramm-Leach-Bliley Act)
US law requiring financial institutions to protect customer financial information.
- Safeguards Rule: Risk assessment, employee training, vendor oversight
FERPA (Family Educational Rights and Privacy Act)
US law protecting student education records.
CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)
California privacy regulation — often called “US GDPR.”
- Consumer rights: know what data is collected, delete data, opt out of sale
- Applies to businesses meeting revenue/data thresholds
Key Compliance Distinctions
Due Diligence vs. Due Care
CompTIA tests this explicitly. Know the difference cold.
- Due diligence: The investigation and research before making a decision. Identifying risks, evaluating controls, understanding regulatory requirements. “Did you do your homework?”
- Due care: The ongoing implementation and maintenance of reasonable protections after you know the risks. “Are you doing what a reasonable person would do?”
| Concept | When | Example |
|---|---|---|
| Due diligence | Before/during planning | Conducting a risk assessment before adopting a cloud provider |
| Due care | Ongoing operations | Applying patches promptly after they’re released |
Failure of due diligence = negligence in preparation. Failure of due care = negligence in execution. Both create legal liability.
Attestation vs. Acknowledgement
- Attestation: A formal declaration that something is true, typically by a qualified third party. An auditor attests that controls are operating effectively. A SOC 2 report is an attestation.
- Acknowledgement: Confirmation that a person has received and understood information. An employee acknowledging the AUP isn’t attesting to its accuracy — they’re confirming they read it.
Data Roles
| Role | Responsibility | Example |
|---|---|---|
| Data Owner | Business executive who decides classification and access policy | VP of Finance owns financial data |
| Data Steward | Ensures data quality, integrity, and proper use within policy | Database admin who enforces naming conventions, validates data accuracy |
| Data Custodian | Implements technical controls the owner defines | Sysadmin who configures encryption and backups |
| Data Controller | Determines purposes and means of processing (GDPR term) | The company collecting customer data |
| Data Processor | Processes data on behalf of the controller | A cloud provider storing that data |
Exam trap: Data steward ≠ data custodian. The steward focuses on data quality and governance within business rules. The custodian focuses on technical implementation of protections.
Breach Notification Requirements
Notification timelines vary by regulation. CompTIA expects you to know the key ones:
| Regulation | Notification Deadline | Who Must Be Notified |
|---|---|---|
| GDPR | 72 hours to supervisory authority | Authority + affected individuals if high risk |
| HIPAA | 60 days to HHS + individuals | HHS, affected individuals, media if >500 people |
| PCI-DSS | ASAP (no fixed timeline) | Card brands, acquiring bank |
| State breach laws | Varies (30–90 days typical) | State AG, affected residents |
- Clock starts when the breach is discovered, not when it occurred
- “Discovery” means when the org knew or should have known — willful ignorance doesn’t stop the clock
- Notification must include: what happened, what data was involved, what the org is doing about it, what affected individuals should do
Data Retention and Classification
Retention Periods by Regulation
| Regulation | Retention Period | What’s Retained |
|---|---|---|
| PCI-DSS | 1 year (audit logs) | Cardholder data environment logs |
| SOX | 7 years | Financial records, audit workpapers |
| HIPAA | 6 years | PHI-related documentation, policies |
| GDPR | No longer than necessary | Personal data (purpose limitation) |
| IRS | 7 years | Tax-related financial records |
- Retention policies must address both minimum (hold at least this long) and maximum (delete after this long) periods
- GDPR’s “storage limitation” principle means you can’t keep data indefinitely “just in case”
- Retention applies to backups too — a backup containing data past its retention period is a compliance violation
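The min/max retention logic above, including backup copies, as an added example (not code from the original page). The minimum windows follow the table above; the maximum windows and the sample records are constructed for illustration, since the page states only minimums except for GDPR’s “no longer than necessary” ceiling.

```python
from dataclasses import dataclass
from datetime import date

# Retention windows in days: (minimum hold, maximum keep).
# Minimums come from the table above; maximums are constructed policy choices.
RETENTION_RULES = {
    "pci_audit_log": (365, 2 * 365),       # PCI-DSS: keep CDE logs at least 1 year
    "sox_financial": (7 * 365, 10 * 365),  # SOX: keep financial records 7 years
    "hipaa_policy": (6 * 365, 8 * 365),    # HIPAA: keep documentation 6 years
    "gdpr_personal": (0, 30),              # GDPR: delete once the purpose is served
}


@dataclass
class Copy:
    record_id: str
    category: str
    created: date
    location: str  # "primary" or "backup"; backups are in scope too


def retention_status(copy: Copy, today: date) -> str:
    """HOLD: inside the minimum window (a deletion request must be refused).
    ELIGIBLE: minimum met, maximum not exceeded (may be deleted).
    OVERDUE: past the maximum window (storage-limitation violation)."""
    min_days, max_days = RETENTION_RULES[copy.category]
    age = (today - copy.created).days
    if age < min_days:
        return "HOLD"
    if age > max_days:
        return "OVERDUE"
    return "ELIGIBLE"


def retention_violations(copies, today: date):
    """Every copy past its maximum window, whether primary or backup."""
    return [(c.record_id, c.location) for c in copies
            if retention_status(c, today) == "OVERDUE"]


# Constructed sample inventory; the backup of L-1 is the kind of copy that is
# easy to forget and still counts as a violation once the maximum has passed.
SAMPLE_COPIES = [
    Copy("L-1", "pci_audit_log", date(2024, 3, 1), "primary"),
    Copy("L-1", "pci_audit_log", date(2021, 1, 1), "backup"),
    Copy("F-9", "sox_financial", date(2015, 1, 1), "primary"),
    Copy("U-3", "gdpr_personal", date(2024, 5, 20), "primary"),
    Copy("U-3", "gdpr_personal", date(2024, 1, 1), "backup"),
]

if __name__ == "__main__":
    print(retention_violations(SAMPLE_COPIES, date(2024, 6, 1)))
```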
Data Inventory and Classification
Data classification is a prerequisite for compliance, not a separate activity:
- Inventory: Identify what data you have, where it lives, who accesses it
- Classify: Apply labels based on sensitivity (Public, Internal, Confidential, Restricted)
- Map to requirements: Which regulations apply to which data categories
- Apply controls: Controls proportional to classification level
- Monitor: Ongoing verification that classified data is handled according to policy
Without a data inventory, compliance is guesswork. You can’t protect what you don’t know you have.
Compliance Monitoring
Automated vs. Periodic Monitoring
- Automated/continuous: Real-time compliance checking via tools (CSPM for cloud, SIEM for log retention, configuration management for baselines). Catches drift immediately.
- Periodic: Scheduled reviews — quarterly access reviews, annual policy reviews, monthly control testing. Catches issues on a cadence.
- Best practice is both: automated monitoring for technical controls, periodic reviews for procedural and administrative controls.
Gap Remediation Tracking
- Gaps identified during audits or monitoring must be tracked to closure
- Plan of Action and Milestones (POA&M): Formal document listing each gap, remediation steps, responsible party, and deadline
- Compensating controls may be acceptable while permanent fixes are implemented
- Regulators and auditors want to see progress, not perfection — but they want to see documented progress
Master Regulatory Comparison
One table to rule them all. CompTIA loves “which regulation applies?” questions.
| Regulation | Applies To | Protects | Key Requirements | Penalties | Retention | Breach Notification |
|---|---|---|---|---|---|---|
| GDPR | Any org processing EU resident data | Personal data of EU residents | Lawful basis, DPO, privacy by design, data subject rights | Up to 4% global revenue or €20M | No longer than necessary | 72 hours to authority |
| HIPAA | Healthcare providers, insurers, business associates | PHI (Protected Health Information) | Technical/admin/physical safeguards, BAAs, minimum necessary | Up to $1.5M per violation category/year | 6 years (documentation) | 60 days to HHS + individuals |
| PCI-DSS | Any org handling payment card data | Cardholder data | 12 requirements, quarterly ASV scans, annual assessment | Contract penalties, increased fees, loss of card processing | 1 year (audit logs) | ASAP to card brands + acquirer |
| SOX | US publicly traded companies | Financial reporting integrity | Section 404 internal controls, audit trails | Fines, prison (up to 20 years for willful violation) | 7 years | N/A (SEC filings) |
| GLBA | US financial institutions | Customer financial information | Safeguards Rule, privacy notices, vendor oversight | Fines per violation | Varies | State-specific |
| FERPA | Educational institutions receiving federal funding | Student education records | Consent for disclosure, access rights, amendment rights | Loss of federal funding | Varies by record type | No federal requirement |
| CCPA/CPRA | Businesses meeting CA revenue/data thresholds | CA consumer personal information | Right to know, delete, opt-out of sale, correct | $2,500/violation, $7,500/intentional | Reasonable period | No specific timeline |
| SOC 2 | Service organizations (voluntary) | Customer data (Trust Services Criteria) | Security, availability, processing integrity, confidentiality, privacy | N/A (market consequence) | Per engagement | Per contract |
Exam decision logic:
- Healthcare data → HIPAA
- EU personal data → GDPR
- Credit card numbers → PCI-DSS
- Student records → FERPA
- Financial reporting → SOX
- California residents → CCPA/CPRA
- Customer financial data → GLBA
- “Which has the shortest breach notification?” → GDPR (72 hours)
- “Which has the highest penalties?” → GDPR (percentage of global revenue)
Compliance vs. Security
Compliance ≠ Security. An organization can be compliant and insecure, or secure and non-compliant.
- Compliance is the minimum baseline — the floor, not the ceiling
- Compliance frameworks can lag behind current threats
- Checkbox compliance without genuine security investment creates a false sense of safety
- However, compliance drives accountability and funding that might not otherwise exist
Compliance Elements
Policies and Procedures
Documented controls that demonstrate how requirements are met.
- Must be current, approved, and distributed to relevant personnel
Evidence Collection
Proof that controls are implemented and operating effectively.
- Logs, configurations, screenshots, tickets, training records
- Must be maintained for the retention period required by the standard
Internal Monitoring
Continuous or periodic self-assessment to verify compliance is maintained.
- Automated compliance monitoring tools
- Regular control testing and validation
- Gap remediation tracking
Reporting
Demonstrating compliance to regulators, auditors, or business partners.
- Compliance reports, attestation letters, certification documents
- Incident reporting within required timeframes (GDPR 72-hour requirement)
Data Privacy
Key Concepts
- PII (Personally Identifiable Information): Data that can identify an individual (name, SSN, email, IP address in some jurisdictions)
- PHI (Protected Health Information): Health-related PII under HIPAA
- Data sovereignty: Legal requirement that data is subject to the laws of the country where it’s stored
- Data localization: Requirement that data must be stored within specific geographic boundaries
- Privacy Impact Assessment (PIA): Evaluation of how a project or system affects individual privacy
Data Subject Rights (GDPR model)
- Right of access: See what data is held about you
- Right to rectification: Correct inaccurate data
- Right to erasure (“right to be forgotten”): Request deletion of personal data
- Right to portability: Receive your data in a portable format
- Right to object: Opt out of certain data processing
Consent
- Must be freely given, specific, informed, and unambiguous
- Pre-checked boxes are not valid consent under GDPR
- Must be as easy to withdraw as to give
Consequences of Non-Compliance
- Financial: Fines (GDPR fines regularly in millions), contract penalties
- Legal: Lawsuits, regulatory action, criminal charges for willful negligence
- Reputational: Loss of customer trust, public disclosure of failures
- Operational: Loss of ability to process payments (PCI-DSS), loss of government contracts
Offensive Context
Compliance frameworks exist because organizations historically failed to implement basic security without external pressure. From the offensive side, compliance documentation is reconnaissance gold — it tells the attacker what controls are supposedly in place. The gap between documented compliance and actual implementation is where attackers find opportunity. “We’re PCI compliant” means nothing if the controls are poorly implemented or scope is minimized to pass the audit rather than genuinely protect cardholder data.